Identity and Context Virtualization: The Key to Your IdM Architecture


DESCRIPTION

Identity and Context Virtualization The Key to Your IdM Architecture. “Everything You Know About IdM Is Wrong” Neil McDonald, Gartner IAM Summit. Gartner: Contextual Virtual Identity. "By year-end 2009, 80 percent of organizations deploying IAM solutions will use - PowerPoint PPT Presentation


  • Identity and Context Virtualization: The Key to Your IdM Architecture

  • "Everything You Know About IdM Is Wrong", Neil McDonald, Gartner IAM Summit

  • Gartner: Contextual Virtual Identity
    "By year-end 2009, 80 percent of organizations deploying IAM solutions will use virtual directory technology as part of the IAM infrastructure"

  • It's About Virtualizing Both Identity and Context

  • "Virtual Directories: Valuable Present, Promising Future", Mark Diodati, Burton Group
    Market Leader: the Radiant Logic VDS product has been in the market for 8 years and is the leader in the virtual directory market.

  • Customer Implementation: Vision / Nirvana
    A Single Secure Identity Service:
    - Seamless authentication and authorization
    - Single point to provision access
    - Internal and external users
    - Levels of authentication based upon risk
    - Easier access to user object data

  • Customer Implementation: Identity Architecture

  • Our Customers are our Best Testimonials

  • Identity and Context Virtualization: One Infrastructure, Many Services

  • Top 4 Common Use Cases for Identity and Context Virtualization
    1. Authentication (WAM, Portal, SM, TAM, RSA, Ping)
       - Integrating identities: internal vs. external, employees/customers, etc.
       - The challenges and opportunities brought by Active Directory: multiple domains/forests
    2. Authorization (Roles, Rules, SM, RSA, TAM, Policy Server)
       - The challenges and opportunities brought by Active Directory
       - Context is generally defined in applications that use databases
    3. Delegated Administration: segregation of duties, specialized contextual views
    4. Global/Enterprise Information Server for structured data (moving from a directory as a context server)

  • Use Case: Authentication (Identity Union)
    Challenges:
    - The first step in authentication is identification (finding the user entry that needs to authenticate)
      - Identities are spread across multiple data sources (e.g. multiple AD domains/forests, etc.)
      - Identities are described differently in each source (e.g. FirstName vs. fname vs. givenName)
    - The second step is credentials checking. Each source supports its own authentication mechanism
      - Different encryption of passwords and schema elements (userPassword vs. unicodePwd, etc.)
      - Existing internal user IDs and passwords live in Active Directory
      - External users' credentials may be stored elsewhere (SunOne, Oracle, etc.)

    Virtualization solves the authentication problem:
    - Aggregating users from multiple data sources (applications search one common namespace to find the user)
    - Credentials checking can be handled at the virtual directory layer, or by the underlying source (delegated authentication)

  • Three Main Challenges Associated with the Identification (Search) Phase of Authentication
    - Locating the user: where to search for them. If there is more than one place, the challenge becomes where to search and in which order
    - Having a common representation of the user info: schema conversion, objectclass and attribute mapping (e.g. inetOrgPerson in Sun vs. User in AD vs. person table in a database)
    - Distinguishing between the different identifiers for the same person (e.g. LCallahan, LauraC)

  • Authentication Step 1: Identification
    Locate the user entry (based on who logs in). User information is spread across multiple heterogeneous sources (databases, directories, applications) and stored differently.

  • Example: Identification Challenges with Multiple Active Directory Forests/Domains
    [Diagram: the VDS tree o=vds > ou=AD List > ou=AD1, ou=AD2, ou=AD3 mounts three Active Directory domains (dc=us, dc=us.corp, dc=cis), whose containers include ou=internal, cn=novato_branch, ou=sales, ou=temps, ou=groups, ou=Admin, ou=Con, ou=dept and ou=mktg]

  • Identification: Create an Aggregated List of User Entries
    - Aggregation/linking establishes a complete list of user entries
    - All schemas are mapped to a common schema
    - All users can be found/identified in the virtual namespace

  • Aggregation vs. Integration: Union, Intersection (correlation where needed)
    Reduced sign-on is possible only if an identity exists (and has been detected/correlated) across the different security domains

  • Authentication Step 2: Credentials Checking
    Authentication mechanism and password encryption differ by source type: databases and applications encrypt passwords using custom algorithms, while directories encrypt passwords using SSHA.

  • Authentication Step 2: Credential Checking
    - Multiple authentication mechanisms supported
    - Delegated authentication: the bind request is sent to the underlying directory for processing
    - Custom scripting to leverage the appropriate encryption algorithm
    [Diagram: the client sends its authentication request to the VDS]

  • Example: Proxy Authentication Back to the Right Active Directory Domain Controller in a Specific Forest
    [Diagram: the client sends its authentication request to the VDS, which forwards it to Active Directory (sAMAccountName, unicodePwd). RE-USE existing users + credentials!]
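The two-step flow described on the preceding slides (identify the entry across sources with differing schemas, then delegate the credential check to the source that owns it), as an added simulation that is not code from the deck or from Radiant Logic VDS. The source names, entries, mount order and the database's "salt$sha256" password scheme are constructed for the example; the {SSHA} format is the standard LDAP one.

```python
import base64
import hashlib
import hmac

# Constructed sources, each with its own schema and credential format: an LDAP directory
# using {SSHA} (SHA-1 of password+salt, base64 of digest||salt) and an application
# database using a hypothetical "salt$sha256(salt+password)" scheme.
def ssha(password, salt):
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def check_ssha(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def check_custom(password, stored):
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(hashlib.sha256((salt + password).encode()).hexdigest(), digest)

# Mount order matters: the first source that yields the login wins, so it is configured, not guessed.
SOURCES = [
    {"name": "sunone", "verify": check_ssha,
     "schema": {"uid": "uid", "givenName": "firstName", "userPassword": "credential"},
     "entries": [{"uid": "lcallahan", "givenName": "Laura", "userPassword": ssha("s3cret", b"saltsalt")}]},
    {"name": "crm_db", "verify": check_custom,
     "schema": {"login": "uid", "fname": "firstName", "pwd": "credential"},
     "entries": [{"login": "jdoe", "fname": "John",
                  "pwd": "x9$" + hashlib.sha256(b"x9" + b"hunter2").hexdigest()}]},
]

def to_common(source, raw):
    """Map a native entry to the common schema; the credential never leaves its source."""
    return {source["schema"][k]: v for k, v in raw.items()
            if k in source["schema"] and source["schema"][k] != "credential"}

def identify(login):
    """Step 1: search the mounted sources in order and return (source, native entry)."""
    for source in SOURCES:
        for raw in source["entries"]:
            if to_common(source, raw).get("uid") == login:
                return source, raw
    return None, None

def authenticate(login, password):
    """Step 2: delegate the credential check to the source holding the entry."""
    source, raw = identify(login)
    if source is None:
        return False  # unknown login: nothing to delegate to
    native_attr = next(k for k, v in source["schema"].items() if v == "credential")
    return source["verify"](password, raw[native_attr])
```

Only the virtual layer needs to know which source holds a login and which verifier applies; the client sees one namespace and one bind.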

  • Fifth Third Bank | All Rights Reserved
    Identity Management (IdM) Technology Stack
    [Diagram: layers and components named on the slide]
    - Application Layer / Application Access Points: CRM, Mobius, 5/3 Direct, 53.com, Remote Wire, HR Direct, Other Apps
    - RSA ClearTrust Web Access Management (WAM)
    - Directory Adaptor / Common Interfaces: Virtual Directory Services (VDS, Radiant)
    - Workflow / Provisioning: Provisioning Engine (BMC)
    - Primary Identity Store: Enterprise Directory (ED, Sun)
    - Other stores: RAFT, Top Secret, AD, Data Warehouse

    Speaker note: Clean IdM Start. Applications in this picture with VDS use cases identified or in development include: CRM, Direct, 53.com, and Remote Wire.

  • Use Case: Authorization (Join)
    Challenges:
    - Profile information exists in multiple data sources
    - Data sources have their own schema elements; attributes are different and stored differently
    - Each source has its own schema (e.g. user in AD vs. inetOrgPerson in Sun vs. Employee table in Oracle)
    - Group membership attributes differ: memberOf (AD), groupOfNames (eDirectory), posixGroup (OpenLDAP)
    - Inflexible schema extensions (AD)

    Virtualization solves the authorization problem:
    - Provides a common schema that all sources can map to
    - Aggregates profile information, which provides more context about a user
    - Web access management products can base policy decisions on the information available in the VDS
    - More attributes available = more fine-grained policies possible

  • Deployment Details: Schema Extensions
    (e.g. TAM requires schema extensions; integrating UNIX/AD posix attributes, etc.)
    [Diagram: the client accesses AD attributes plus the required extended attributes through the VDS. USER OBJECT in AD: email, password, memberOf, dept. EXTUSER OBJECT: loginShell, uidNumber, home directory]

  • Build a Complete Profile
    Join: build a complete, unique profile from information in all data sources

    Source 1: cn = Laura Callahan, [email protected], title=Sales Manager, employeeID=8

    Source 2: FullName = Laura Callahan, ProjectID=2019, UserID=8

    Source 3: First_Name = Laura, Last_Name = Callahan, Department = Sales, EmployeeNo=8

    Joined profile: FullName = Laura Callahan, [email protected], title=Sales Manager, employeeID=8, ProjectID=2019, Department=Sales

    Client: can base authorization on the complete profile

  • Customer Implementation: Virtual Directory Role

  • Use Case: Delivering Data in Context

    Challenge (for delegated administration):
    - Existing hierarchies are relatively flat, which makes them easier to maintain and manage
    - However, this limits the usefulness of delegated administration
    - Delegated administration requires a hierarchy based on how you want to delegate

    How does a virtualization layer deliver data in context?
    - Reconfigure existing directory trees to make more meaningful views for delegated administration
    - Based on the data available in the entries, different hierarchies are possible (e.g. Country -> State -> City, management (org chart), job description, etc.)

  • Virtual View Based on Location: Country > State > City

  • Virtual View Based on Org Chart: Top Manager > Full Management Hierarchy

  • Virtual View Based on Role, Location and Territory
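How a flat set of entries can be re-rooted into the contextual views above, and how such a view scopes a delegated administrator, as an added example that is not from the deck or from any virtual directory product. The entries, the o=vds suffix usage and the attribute-to-level mapping are assumptions constructed for the example.

```python
# Constructed flat entries, as a directory typically stores them (one level under ou=people).
ENTRIES = [
    {"uid": "lcallahan", "c": "US", "st": "CA", "l": "Novato", "title": "Sales Manager"},
    {"uid": "jdoe", "c": "US", "st": "OH", "l": "Cincinnati", "title": "Analyst"},
    {"uid": "mrossi", "c": "IT", "st": "Lombardy", "l": "Milan", "title": "Analyst"},
]

def virtual_dn(entry, path, suffix="o=vds"):
    """Derive the entry's DN in a view from its own attributes: path ("c", "st", "l")
    gives uid=lcallahan,l=Novato,st=CA,c=US,o=vds. The source data is never changed."""
    rdns = [f"{attr}={entry[attr]}" for attr in reversed(path)]
    return ",".join([f"uid={entry['uid']}"] + rdns + [suffix])

def build_view(entries, path):
    """One virtual view per hierarchy: the same entries, a different tree."""
    return {virtual_dn(e, path): e for e in entries}

def in_scope(dn, scope_dn):
    """A delegated admin scoped at scope_dn may manage only entries beneath it.
    Suffix matching suffices here because the constructed attribute values contain
    no commas or escapes; real DN comparison needs RFC 4514 normalization."""
    return dn.lower().endswith("," + scope_dn.lower())

def delegated_uids(view, scope_dn):
    """The set of users a delegated admin with the given scope can see and manage."""
    return sorted(e["uid"] for dn, e in view.items() if in_scope(dn, scope_dn))

# Location view (Country > State > City) and a job-description view from the same entries.
LOCATION_VIEW = build_view(ENTRIES, ("c", "st", "l"))
JOB_VIEW = build_view(ENTRIES, ("title",))
```

The delegation scope is expressed as a subtree of the view, so changing the view changes what a delegate can reach without touching the backing directory.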

  • Use Case: Global Directory and Enterprise Search
    Problems:
    - Mergers and acquisitions result in numerous enterprise directories/databases that require integration/aggregation (Active Directory, HR systems, customer databases)
    - Often, applications that consume data can only connect to a single directory

    How does a virtualization layer help build a Global/Enterprise Directory?
    - Aggregate multiple data sources into a common directory namespace
    - No changes (to schema or data) required in the underlying directories
    - Fast implementation and configuration
    - Re-use existing data rather than build a new directory into which data is synchronized

  • Customer Implementation: 7 Abstraction Layers

  • Aggregate Existing Data Sources
    [Diagram: Help Desk, ERP, HR, Knowledge Management, White Pages and CRM are aggregated under dc=Global Directory; the client talks to a single directory]

  • Data Sources with Common Users (with existing common key)
    With a unique common key, joins are based on that key:

    cn = Laura Callahan, [email protected], title=Sales Manager, employeeID=8

    FullName = Laura Callahan, ProjectID=2019, UserID=8

    First_Name = Laura, Last_Name = Callahan, Department = Sales, EmployeeNo=8

    Joined: FullName = Laura Callahan, [email protected], title=Sales Manager, employeeID=8, ProjectID=2019, Department=Sales

  • Data Sources with Common Users (NO Existing Common Key)
    Without a unique common key:
    - Virtualization alone cannot detect duplicate users
    - Requires identity correlation and reconciliation
    - Matching rules determine common users across the sources

    [Diagram: data sources (HR, Accounting, CRM) feed a Global Identity Hub that applies matching rules and keeps references/pointers to build the Global Directory Entry]

  • Customer Implementation


    ... is essentially an integration challenge: the lack of an integrated view of identity. One entry point to access all Active Directory domains/forests (mount all AD domains into the virtual namespace).

    * Speaker note: here mention that we will revisit this case a bit later when we look at the existence of a common key/identifier across the virtualized sources.